spring kafka ssl use AzureKeyVault - apache-kafka

Is there any possibility to use a certificate stored in Azure Key Vault directly?
We have environment-based certificates and they are stored in different key vaults on Azure.
Inside the spring-kafka configuration, is there any possibility to point directly to an Azure certificate? For example,
ssl:
  trust-store-type: AzureKeyVault
  trust-store-alias: <

Related

Encrypted Keystore instead of Location Path

I have an enterprise-level Kafka hosted in an AWS cluster. I'm trying to consume a topic from the AWS cluster. I need to use the SSL protocol for connecting to the servers.
From the documentation I found that I need to enable a few properties:
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=test1234
I have a problem here: I cannot store the keystore.jks and truststore.jks in the source. Our security does not allow storing sensitive data in the source.
Instead I have an encrypted keystore file, which I pull from Vault.
Is there a possibility that I can use this encrypted keystore? I don't see such feasibility in the documentation.
A local file path is needed for SSL certificates. You'll need a wrapper script before your code starts (or before the main method consumer logic) that will download the necessary information from Vault and fill in the properties files/configs.
Or use a library that handles this, such as Spring Vault.
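As an added illustration of the wrapper-script approach described in this answer (this is example code, not the poster's or the answer author's), the function below takes base64-encoded keystore and truststore bytes, as they would come back from a secrets store, writes them to a private temporary directory with owner-only permissions, and emits a Kafka client properties file pointing at those paths. The Vault fetch itself is left outside the function and shown only as a commented, hypothetical `vault kv get` invocation; the secret path and field names in that comment are assumptions.

```shell
#!/bin/sh
# Added example: materialise keystore/truststore material from a secrets
# store into private temp files and generate the Kafka SSL properties.
# The secret material is passed in as arguments so the script runs offline;
# in a real wrapper the caller would obtain it first, for example
# (hypothetical secret path and field name, not from the original post):
#   KEYSTORE_B64=$(vault kv get -field=keystore_b64 secret/kafka/client)

write_kafka_ssl_config() {
  keystore_b64="$1"     # base64 of the keystore bytes (JKS/PKCS12)
  truststore_b64="$2"   # base64 of the truststore bytes
  keystore_pw="$3"
  truststore_pw="$4"
  out="$5"              # properties file to produce

  # mktemp -d creates the directory with mode 700, so other users on the host
  # cannot list or read what is written into it.
  dir=$(mktemp -d) || return 1

  # umask 077 inside a subshell so the files are created 600 without
  # changing the umask of the calling shell.
  ( umask 077
    printf '%s' "$keystore_b64"   | base64 -d > "$dir/kafka.client.keystore.jks" &&
    printf '%s' "$truststore_b64" | base64 -d > "$dir/kafka.client.truststore.jks" &&
    cat > "$out" <<EOF
security.protocol=SSL
ssl.keystore.location=$dir/kafka.client.keystore.jks
ssl.keystore.password=$keystore_pw
ssl.key.password=$keystore_pw
ssl.truststore.location=$dir/kafka.client.truststore.jks
ssl.truststore.password=$truststore_pw
EOF
  ) || return 1

  # Hand the directory back so the caller can remove it when the JVM exits.
  printf '%s\n' "$dir"
}

# Permission bits of a file, for checking the result (GNU stat, BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

The generated properties file still holds the passwords in clear text, which is the trade-off this approach makes; keep it under the same 600 permissions and have the wrapper `trap 'rm -rf "$dir"' EXIT` so the decoded stores disappear with the process.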

Reading and writing keycloak secrets to hashicorp vault using vault spi

I am using the jboss/keycloak docker image (uses WildFly as the app server) and we are leveraging Keycloak as an identity broker and for user federation. I want to store the Keycloak-specific secrets in HashiCorp Vault, and basically access these secrets at runtime.
The identity service is written in Java, where I have created a customized Vault (HashiCorp) provider using the vault SPI. I have used this extension to add the vault provider. The provider is integrated now, and I am able to see it in the provider list. I wanted to check how I can store and retrieve Keycloak secrets (like realm ids, LDAP credentials, external tokens etc.) from this vault.

Mongodb: Client side Field Level encryption - integration with Hashicorp vault

We plan to use client-side field-level encryption for some confidential fields in our product. To generate and manage the Customer Master Key, we want to use HashiCorp Vault. The KMS providers currently supported are only Amazon Web Services KMS and Locally Managed Keyfile.
To work with HashiCorp Vault, it seems we need to choose Locally Managed Keyfile as the KMS provider. This means that the master key will be fetched from Vault into memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of the DEK should happen in the vault itself as a best practice, and the master key should not be brought out of Vault.
Is there a way to achieve this? There are numerous articles around encryption at rest and integration with HashiCorp Vault, but none of them is for CSFLE. Need help if anyone is using CSFLE.
Thanks

store P12 on public datacenter securely

We have a lot of user P12 files (certificates) for each client/tenant and we would like to store them securely. We don't use a cloud solution like Amazon, Azure Key Vault or another datacenter solution, but a hosting company.
Do you have any solution?
Vault from HashiCorp
You can use Vault to manage your own PKI and issue certificates instead. In fact, it is more than that.
From Using HashiCorp Vault to manage PKI and issue certificates:
Vault allows you to manage an entire Public Key Infrastructure (PKI)
to ensure secure communication among different services. This allows
companies to easily set up their own certificate authority (CA), revoke
or issue new certificates using simple API calls, thus dumping the
painful process of constantly generating self-signed certificates.
You can check out this guide for the process of using Vault to generate and issue certificates.

Securing service principal in azure

We are using a service principal to create the infra in Azure. We want to secure the client secret, and for that we are planning to use Azure Key Vault. If we store the client secret in Key Vault, we would require another service principal to read the secret from the Key Vault, and how do we secure that secret? We want to know how to resolve this and how it is done in enterprise scenarios.
Thanks